NHS software vendor Advanced has confirmed it suffered a ransomware attack that resulted in the theft of sensitive customer data.
The company says an unknown threat actor used “legitimate third-party credentials” which gave them the ability to establish a remote desktop (RDP) session to the Staffplan Citrix server.
From there, the attackers moved laterally through the network, escalating privileges where necessary, to map the environment and identify critical endpoints and high-value data.
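The intrusion path described above (a third party's valid credentials used for an RDP logon to one server, then network logons fanning out to other hosts) is exactly what a detection engineer would want to catch from authentication telemetry. The script below is an added example, not code from Advanced or from the incident write-up: it runs two checks over a handful of constructed logon records loosely modelled on Windows Security event 4624 (logon type 10 = RemoteInteractive/RDP, type 3 = Network). The account name `vendor-svc`, the host names, the IP ranges, the timestamps and the per-account policy are all invented for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Windows Security event 4624
# (successful logon). Field names are simplified; every host, account, address
# and timestamp here is invented for this example, not taken from the incident.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T21:10:05", "host": "CITRIX-01", "account": "vendor-svc", "logon_type": 10, "src_ip": "203.0.113.45"},
    {"ts": "2024-01-15T21:14:30", "host": "CITRIX-01", "account": "vendor-svc", "logon_type": 3,  "src_ip": "203.0.113.45"},
    {"ts": "2024-01-15T21:20:11", "host": "FS-01",     "account": "vendor-svc", "logon_type": 3,  "src_ip": "10.0.5.21"},
    {"ts": "2024-01-15T21:22:48", "host": "DB-01",     "account": "vendor-svc", "logon_type": 3,  "src_ip": "10.0.5.21"},
    {"ts": "2024-01-15T21:25:02", "host": "DC-01",     "account": "vendor-svc", "logon_type": 3,  "src_ip": "10.0.5.21"},
    {"ts": "2024-01-15T09:00:00", "host": "CITRIX-01", "account": "jsmith",     "logon_type": 10, "src_ip": "10.0.9.7"},
    {"ts": "2024-01-15T09:05:00", "host": "FS-01",     "account": "jsmith",     "logon_type": 3,  "src_ip": "10.0.9.7"},
]

# Hypothetical access policy for third-party accounts: the hosts each account
# is allowed to reach and the source networks its sessions are expected from.
THIRD_PARTY_POLICY = {
    "vendor-svc": {"hosts": {"CITRIX-01"}, "sources": {"198.51.100.0/24"}},
}


def _ts(value):
    return datetime.fromisoformat(value)


def unexpected_third_party_logons(events, policy=THIRD_PARTY_POLICY):
    """Flag third-party accounts that start an RDP session from outside their
    expected source networks, or that log on to a host the policy does not
    grant them. Accounts absent from the policy are ignored."""
    alerts = []
    for ev in events:
        rule = policy.get(ev["account"])
        if rule is None:
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        src_ok = any(src in ipaddress.ip_network(net) for net in rule["sources"])
        if ev["logon_type"] == 10 and not src_ok:
            alerts.append(("rdp_from_unexpected_source", ev["account"], ev["host"], ev["src_ip"]))
        if ev["host"] not in rule["hosts"]:
            alerts.append(("host_outside_policy", ev["account"], ev["host"], ev["src_ip"]))
    return alerts


def lateral_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Flag any account whose network logons (type 3) reach at least
    `min_hosts` distinct hosts within a sliding window of length `window`.
    Returns one (account, window_start, hosts) tuple per offending account."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3:
            by_account[ev["account"]].append((_ts(ev["ts"]), ev["host"]))
    alerts = []
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, start.isoformat(), sorted(hosts)))
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in unexpected_third_party_logons(SAMPLE_EVENTS):
        print("policy:", alert)
    for alert in lateral_fanout(SAMPLE_EVENTS):
        print("fan-out:", alert)
```

On the sample data the first check fires once for the RDP logon from an address outside the vendor's expected range and three times for hosts the vendor account should never touch; the second check fires once for `vendor-svc`, which reaches four hosts inside a 30-minute window. The thresholds are deliberately tunable: in a real estate the fan-out baseline for service accounts and administrators must be learned first, and the source-network allowlist is only as good as the third party's willingness to commit to fixed egress addresses (or, better, to a VPN or PAM gateway you control).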
Cutting out the attackers
Two days later, having exfiltrated sensitive files, the group deployed LockBit 3.0, a well-known and potent ransomware variant, and encrypted data across the network.
Advanced said the group was financially motivated, but did not detail how much money it demanded for the decryption key and the return of data, nor whether or not it paid.
As soon as Advanced realized it was being attacked, it disconnected all of its systems from the internet.
While that stopped further escalation of the attack, it also temporarily prevented customers and users from accessing the systems. As a result, the company then proceeded to re-establish the network in a “separate, secure, and new environment.”
In total, the company says 16 customers had sensitive information stolen. It did not say exactly what this data included, but it did say that the affected customers were notified promptly and that it was able to restore all of the stolen data.
Further describing the recovery process, Advanced said it was able to move relatively fast, but still needed to satisfy government processes.
“Although we were equipped and able to completely rebuild certain health and care products by the Monday following the incident, we were required to satisfy an assurance process set forth by our partners at the NCSC, NHS, and NHS Digital.”
It said that this process proved to be time-consuming, and cumbersome.
“As we learned more about this assurance process and adjusted in real time to meet certain requirements, it took longer than expected, which has impacted our overall recovery timeline. We have prioritized safety and security during every step of our recovery process,” the company said.
“As we work through scanning and clearing systems, we are in parallel continuing to assess and/or develop recovery plans for remaining impacted products,” it concluded.